±Forensic Focus Partners
New Today: 3
New Yesterday: 5
±Forensic Focus Partner Ads
· Forensics and Bitcoin
· Investigation and Intelligence Framework (IIF) – an evidence extraction model for investigation
· Extracting data from dump of mobile devices running Android operating system
· Development of Digital Forensic Tools on Mobile Device, a Potential Area to Consider?
· Can You Get That License Plate?
· How To Decrypt WeChat EnMicroMsg.db Database?
· A guide to RegRipper and the art of timeline building
· Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions
· FT Cyber Security Summit 2014 – Recap
Forensic Analysis of the Windows RegistryBack to top Back to main Skip to menu
Forensic Analysis of the Windows Registry
School of Computer and Information Science, Edith Cowan University
Windows registry contains lots of information that are of potential evidential value or helpful in aiding forensic examiners on other aspects of forensic analysis. This paper discusses the basics of Windows XP registry and its structure, data hiding techniques in registry, and analysis on potential Windows XP registry entries that are of forensic values.
Windows registry, forensic analysis, data hiding
Figure 1 shows Windows registry logical view from Register Editor (Windows default register editor). Each folder in the left key pane is a registry key. The right panes show the key's value. Subkey is used to show the relationship between a key and the keys nested below it. Branch refers to a key and all its subkeys. Windows uses symbolic link (i.e. similar to file system's shortcut) to link a key to a different path which allows the same key and its values to appear at two different paths (Russinovich, 1999).
Figure 1: Windows Registry Logical View Key